The messages are directed toward the WordPress site on my server. These are coming from the access_log, and I don't know if this should worry me or not.

There are well over a hundred lines of the same message spanning over a few seconds each time. If you don't know what I mean, here are the logs: - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-" - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"

I just did a count for all instances for these two IP addresses, and it was accessed at least over 100,000 different times, since the 22nd.

2 Answers 2


Someone is trying to brute-force your login page. HTTP POST requests are used for HTML form data, which in the case of a wp-login.php page will likely be the username/password form.

For WordPress specifically, you should read this wiki page, which mentions a number of useful steps to take and protect your instance, such as:

  • not using the admin username
  • picking a strong password
  • using plugins to restrict login attempts at WordPress, Apache or server level
  • htpasswd-protecting the page (with the help of a generator)

In any case, setting up fail2ban is something you should definitely consider. It will restrict the number of times a certain IP may try to log into your machine (e.g. over FTP, SSH, etc.).

  • I attempted to setup fail2ban but it then made it impossible to access my server. Was able to use safe reboot, but wasn't able to remove it or anything. I googled my issue, and I found that others that were on Centos 7 were having the same problem. Luckily for me, I had nothing on the server so I just reinstalled the OS which took a few min.
    – travis
    Commented Oct 26, 2014 at 19:56
  • 2
    Ah, that's unfortunate. I haven't had issues with it on my CentOS server. Normally it shouldn't interfere so much.
    – slhck
    Commented Oct 26, 2014 at 19:58
  • Another thing worth considering is PeerGuardian.
    – paradroid
    Commented Oct 27, 2014 at 1:49
  • 2
    @travis That's something to be expected when you have password based SSH logins.. You should consider using SSH keys for authentication and disabling the SSH password based login entirely, and it's probably also a good idea to change the default SSH port on your server
    – Winter
    Commented Oct 27, 2014 at 3:34
  • 1
    @glglgl It's a deterrent. It stops someone from going "I wonder if this is insecure..." - won't stop a directed attack, but will stop a casual hacker. "Somewhere else is easier."
    – user218544
    Commented Oct 27, 2014 at 16:09

It looks like brute force hacking attempts to get into the admin console of the WordPress site. I get these all the time on my WordPress sites. If you had a user called admin with the password 'pass', they would certainly have got in by now.

Install a security plugin that will block IP addresses after a certain number of login attempts. I use Wordfence.

  • 4
    Those IP addresses seem to be coming from CloudFlare CDN servers in San Francisco and Japan, which is a bit weird.
    – paradroid
    Commented Oct 26, 2014 at 19:41
  • I'd expect that means the site is behind CloudFlare. There's probably an X-Forwarded-For header something like mod_rpaf could use, but it's not set up to
    – ceejayoz
    Commented Oct 27, 2014 at 13:00
  • @ceejayoz I'm not sure what you mean. As wp-login.php is not a static file, it will not be on the CDN anyway. I don't understand why these incoming connections seem to be coming from CloudFlare CDN servers. Perhaps CloudFlare also does server hosting?
    – paradroid
    Commented Oct 27, 2014 at 18:38
  • You can (and usually do) point your entire domain at CloudFlare. That means incoming requests - GET and POST, dynamic or static - go through CloudFlare first, and thus would have their IPs.
    – ceejayoz
    Commented Oct 27, 2014 at 19:42

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .